Tesco Bank hack: How it happened and what you can do to protect your account

Cyber-criminals broke into Tesco Bank’s computer system last weekend and stole £2.5million from the current accounts of 9,000 customers – the largest ever cyber-attack on a UK bank to have resulted in a mass loss of money. One in 15 of the bank’s 136,000 current accounts were affected.

According to the bank, existing direct debits, cashpoint withdrawals and the use of chip and PIN card payments were still permitted. By Tuesday evening normal services had resumed and refunds had been given.

Net loss: £2.5million was taken in the online raid

How did it happen?

Tesco Bank says it will work with authorities and regulators to investigate the ‘systemic and sophisticated attack’. But it has yet to shed light on how it happened or who was behind it. An investigation is being led by the National Crime Agency.

Andrew Bailey, chief executive of city regulator the Financial Conduct Authority, said the attack was ‘unprecedented in the UK’.

Mark Weston, head of information technology at international law firm Hill Dickinson, says: ‘If this was an inside job then we must acknowledge that no bank is foolproof and Tesco Bank may have been unlucky to be the one that was hit.

‘If this was an external attack on Tesco Bank’s systems, then it is not alone. It just happens this one was successful.’

How you can protect yourself

1. Verify any emails or calls you get about fraudulent activity on your bank account. Do this by contacting your bank separately using a different web page, rather than clicking on links in emails, or by calling them from a different phone to the one you were contacted on.

4. Familiarise yourself with common frauds and how they work. Register with Action Fraud Alert for free – run by the City of London Police – to receive regular information about scams and frauds in your area. Visit actionfraudalert.co.uk.

TalkTalk and Yahoo! have suffered cyber-attacks. But these were different in that hackers stole personal information rather than money.

Nearly 157,000 TalkTalk customers had personal data exposed – including names, addresses, dates of birth, phone numbers and email addresses. Hackers also obtained bank account details and sort codes of around one in ten of those customers affected.

Once stolen this information can be sold on to other criminals and used to target customers in other types of fraud such as identity theft – where accounts can be opened or goods ordered in a victim’s name.

The data breach at Yahoo! was the biggest to date in terms of numbers affected, with personal details stolen from 500 million user accounts. The hack occurred in 2014 but only came to the public’s attention this year. Tesco Bank confirmed no personal data was compromised in this latest attack.

I am a Tesco customer – should I move to a new bank?

All banks are vulnerable to fraud so there is nothing to say you would be safer elsewhere. All banks must issue full refunds for fraud so long as a customer was not negligent – for example, by giving out a PIN or password.

But if you no longer feel your money is safe it is easy to move it. You can switch automatically using the official Current Account Switch Service. Just let the new bank know you want to use the service. Everything will be transferred within seven working days and the old account closed.

Consumer group Which? rates online bank First Direct, its parent bank HSBC and Barclays best for online security, followed by M&S Bank and Nationwide Building Society.

Which bank is likely to be hit next?

Attempted attacks on banks are common – even if they have not been successful.

Weston says: ‘All banks are constantly under cyber-attack. Such attacks will increase as hacking skills and tools spread.

‘The question is how a bank manages its customers in terms of the speed of giving back money and plugging holes in its security. That is the measure of a successful bank in terms of customer trust.’

What about other fraud risks?

Although cyber-attacks are worrying and can prevent access to your money, banks are legally bound to reimburse you.

This is not the case if you fall victim to fraudulent emails and phone calls.

An email might warn of suspicious activity on your account and encourage you to click on a link to update your bank details. This practice is known as ‘phishing’ – with emails often containing links which, if you click on them, download spyware on to your computer so fraudsters can ‘see’ you log in to online accounts.

Alternatively, a convincing fraudster on the phone might talk you into moving money to a ‘safe account’ or disclosing passwords – known as ‘vishing’. Unfortunately you are unlikely to be refunded.
